# Requesting Kubernetes access

This topic describes how to request access to a Kubernetes cluster using P0's Slack bot. It contains the following sections:

* [Request Access in Slack](#request-access-in-slack)
* [Slack Bot Request Approval, Denial, and Errors](#slack-bot-request-approval-denial-and-errors)
* [How Kubernetes Access Works](#how-kubernetes-access-works)

## Request Access in Slack

To request access using the Slack bot:

1. Open Slack and send `/p0 request` as a message in any direct message (DM) or channel. This opens the P0 request modal:

   <figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-ef163e18fecb7e0d6a0413e224be807d7cfea3f8%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>
2. In the modal, set **Resources** to **Kubernetes**, specify the cluster name, and populate the remaining fields with the specific access you want to request.

{% hint style="info" %}
By default, you can request any resource except system resources, such as objects in the `kube-system` namespace. The same restriction applies to roles, with the exception of the following pre-defined Kubernetes cluster roles, which can be requested:
{% endhint %}

* cluster-admin
* admin
* edit
* view

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-98f1e1ba47a1d7f278a67bc1f8db13f096817dd6%2FPicture10.png?alt=media" alt="" width="386"><figcaption></figcaption></figure>

3. Click **Request** to initiate the request process. The Slack bot will:

   * Generate a message confirming that your request was created.
   * Send a message to the approvers in the Slack channel designated by your organization's admin.

   The following describes how P0 handles different scenarios:

   * If your request is approved, the Slack bot posts a message in the **p0-requests** Slack channel indicating that your access has been granted and when it will expire.
   * If you are on-call (on a PagerDuty schedule) and your organization's admin has enabled PagerDuty routing, your access may be approved automatically for one hour.

## Slack Bot Request Approval, Denial, and Errors

Your request must be approved or denied by an authorized member of your organization. Once approved or denied, you will have options to change / update your request within the **P0 Security** Slack DM.

{% hint style="info" %}
If your request fails with an error, the bot notifies you in the same DM while the request is being processed.
{% endhint %}

To learn more see the following subsections:

* [Slack Bot Request Approval](#slack-bot-request-approval)
* [Slack Bot Request Denial](#slack-bot-request-denial)
* [Request Access Error](#request-access-error)

### Slack Bot Request Approval

After your request is approved, the Slack bot displays a **Relinquish** button in the **P0 Security** Slack DM, with a link to the original message in the **p0-requests** channel. Use this button to give up your access early if you finish before it expires.

{% hint style="info" %}
This revokes the access, and you must make a new request if you need it again.
{% endhint %}

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-985bfc2aff42f2e4b2743f1357cd92c49fcad69c%2FPicture2.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>

Once access expires (either by timing out or via the **Relinquish** button), the Slack bot posts an expiration message in both the **P0 Security** Slack DM and the **p0-requests** channel.

{% hint style="info" %}
You may re-request the same access using the Request Access button, if you need to extend your session.
{% endhint %}

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-37b3d7930d4a3f7ad83c7f674462d5ebfb98591b%2FPicture3.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>

### Slack Bot Request Denial

If your request is denied, the Slack bot sends a message from the **P0 Security** Slack DM and the **p0-requests** channel, indicating the reason for denial.

Example from the **P0 Security** Slack DM:

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-bb5bc7b753defdae2927ce417651af2414eae3ca%2FPicture4.png?alt=media" alt="" width="499"><figcaption></figcaption></figure>

Example from the **p0-requests** channel:

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-e8237b10d733b6f4b350cfc8e6550bd3aae8dc80%2FPicture5.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>

### Request Access Error

If your request fails, for example because a prerequisite permission is missing, the Slack bot sends a message in the **P0 Security** Slack DM and the **p0-requests** channel indicating the reason for the error.

Example from the **P0 Security** Slack DM:

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-52e412d25113fbfe6c0604ffc6905fc0d060e405%2FPicture6.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>

Example from the **p0-requests** channel:

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-b3151f3548be19dee04e60a05c295ed84cba0188%2FPicture7.png?alt=media" alt="" width="563"><figcaption></figcaption></figure>

## How Kubernetes Access Works

When a request is approved, P0 creates a temporary cluster role containing only those rules of the requested cluster role that apply to the selected resource, narrowed to that resource's name. It then binds the cluster role to the requestor with one of the following:

* **Cluster role binding** (if the resource is cluster-scoped or the request applies to all namespaces)
* **Namespaced role binding** (if the resource is in a specific namespace)

### Example

The following screenshot shows a request for the `view` cluster role on the resource `Deployments / default / nginx-deployment`, that is, read access to the `nginx-deployment` Deployment in the `default` namespace.

<figure><img src="https://3783273641-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FSQNwGQz62W737pY0FzVb%2Fuploads%2Fgit-blob-f7139eac72b3d87d083320565e4b81fffec9b72c%2FPicture8.png?alt=media" alt="" width="432"><figcaption></figcaption></figure>

Upon approval of this request, P0 creates a cluster role and a role binding.

The generated cluster role contains all the rules from the `view` cluster role that apply to Deployment resources, restricted to `nginx-deployment` via `resourceNames`:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: "2077-08-19T22:01:29Z"
  name: p0-view-Deployments-VpL...
  resourceVersion: "425167"
  uid: 0592e...
rules:
- apiGroups: [apps]
  resourceNames: [nginx-deployment]
  resources: [deployments]
  verbs: [get, list, watch]
- apiGroups: [extensions]
  resourceNames: [nginx-deployment]
  resources: [deployments]
  verbs: [get, list, watch]
```

The generated namespaced role binding links the cluster role to the requestor `john.smith@company.com`:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  creationTimestamp: "2077-08-19T22:01:29Z"
  name: p0-view-Deployments-VpL...-binding
  namespace: default
  resourceVersion: "425168"
  uid: c0a5ea1...
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: p0-view-Deployments-VpL...
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: john.smith@company.com
```
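The mechanism above, reproduced as an added example in Python (this is not P0's code and does not show its internals). It takes the rules of a predefined cluster role, keeps only those that apply to the requested resource, pins them to the resource name, and emits the temporary ClusterRole together with a namespaced RoleBinding (or a ClusterRoleBinding when no namespace is given). A small evaluator then shows which requests the generated rules authorize. The `p0-<role>-<Resource>-<suffix>` naming, the `VpL` suffix and the `VIEW_RULES` / `EDIT_RULES` tables are assumptions and constructed sample data.

```python
"""Added example (not P0's code): scope a predefined cluster role's rules down
to one resource, emit the temporary ClusterRole plus its binding, and decide
requests against the result.  Naming and rule tables are assumptions."""
import json

# Constructed: a subset of the built-in `view` cluster role's rules.
VIEW_RULES = [
    {"apiGroups": [""], "resources": ["configmaps", "pods", "services"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["daemonsets", "deployments", "replicasets"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["extensions"], "resources": ["deployments", "ingresses"],
     "verbs": ["get", "list", "watch"]},
]
# Constructed: `edit` is `view` plus write verbs on deployments.
EDIT_RULES = VIEW_RULES + [
    {"apiGroups": ["apps", "extensions"], "resources": ["deployments"],
     "verbs": ["create", "delete", "deletecollection", "patch", "update"]},
]
BASE_ROLES = {"view": VIEW_RULES, "edit": EDIT_RULES}

# Kubernetes RBAC cannot restrict these verbs by resourceNames: a rule that
# carries resourceNames never authorizes them (the new object's name is not
# known for create; deletecollection targets many objects).
_UNNAMEABLE = {"create", "deletecollection"}


def _matches(allowed, wanted):
    return "*" in allowed or wanted in allowed


def scope_rules(rules, resource, name=None):
    """Keep only rules that grant something on `resource`, narrow each to that
    resource (apiGroups are kept, so `deployments` yields one rule for `apps`
    and one for `extensions`), and pin them to `name` when given."""
    scoped = []
    for rule in rules:
        if not _matches(rule["resources"], resource):
            continue
        new = {"apiGroups": list(rule["apiGroups"]), "resources": [resource],
               "verbs": sorted(rule["verbs"])}
        if name:
            new["resourceNames"] = [name]
        scoped.append(new)
    return scoped


def build_manifests(base_role, resource, name, namespace, user, suffix):
    """Return (ClusterRole, binding) as dicts; namespace=None -> ClusterRoleBinding."""
    role_name = f"p0-{base_role}-{resource.capitalize()}-{suffix}"  # assumed layout
    cluster_role = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRole",
        "metadata": {"name": role_name},
        "rules": scope_rules(BASE_ROLES[base_role], resource, name),
    }
    binding = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding" if namespace else "ClusterRoleBinding",
        "metadata": {"name": f"{role_name}-binding"},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": "ClusterRole", "name": role_name},
        "subjects": [{"apiGroup": "rbac.authorization.k8s.io",
                      "kind": "User", "name": user}],
    }
    if namespace:
        binding["metadata"]["namespace"] = namespace
    return cluster_role, binding


def allows(rules, verb, api_group, resource, name=None):
    """Minimal RBAC decision for one request against `rules`.
    `name` is the object name for get/update/patch/delete, or the value of a
    `metadata.name` field selector for list/watch; None means no name was
    supplied, which a resourceNames-restricted rule cannot satisfy."""
    for rule in rules:
        if not (_matches(rule["apiGroups"], api_group)
                and _matches(rule["resources"], resource)
                and _matches(rule["verbs"], verb)):
            continue
        names = rule.get("resourceNames")
        if not names:
            return True          # unrestricted rule: any object name
        if verb in _UNNAMEABLE:
            continue             # resourceNames can never grant these verbs
        if name in names:
            return True
    return False


if __name__ == "__main__":
    role, binding = build_manifests("view", "deployments", "nginx-deployment",
                                    "default", "john.smith@company.com", "VpL")
    print(json.dumps(role, indent=2))
    print(json.dumps(binding, indent=2))
    # A plain list of deployments carries no name selector, so the scoped
    # role denies it; the named get is allowed.
    print(allows(role["rules"], "list", "apps", "deployments"))                  # False
    print(allows(role["rules"], "get", "apps", "deployments", "nginx-deployment"))  # True
```

The evaluator encodes a caveat worth knowing when testing access granted this way: because the generated rules carry `resourceNames`, a bare `kubectl get deployments -n default` (a `list` without a name) is forbidden, while `kubectl get deployment nginx-deployment -n default` or `kubectl get deployments -n default --field-selector=metadata.name=nginx-deployment` succeeds. Likewise, even an `edit`-derived role pinned to one name cannot grant `create`, since Kubernetes does not restrict that verb by resource name.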

If the Kubernetes cluster is hosted on AWS EKS, P0 also modifies the `aws-auth` ConfigMap in `kube-system` to map the requestor's IAM user ARN to the Kubernetes user `john.smith@company.com`. This entry only authenticates the IAM principal as that Kubernetes user; what the user may do is still determined by the role binding above.

```yaml
apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::12...:role/eksNodeRole
      username: system:node:{{EC2PrivateDNSName}}
  mapUsers: |
    - userarn: arn:aws:iam::12...:user/john.smith@company.com
      username: john.smith@company.com
kind: ConfigMap
metadata:
  creationTimestamp: "2077-08-17T21:34:09Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "425175"
  uid: b8f11...
```
